U.S. SECURITIES AND EXCHANGE COMMISSION
OFFICE OF INSPECTOR GENERAL

Controls Over the SEC’s Inventory of Laptop Computers

September 22, 2014
Report No. 524


UNITED STATES SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
OFFICE OF INSPECTOR GENERAL

MEMORANDUM

September 22, 2014

TO:       Jeffery Heslop, Chief Operating Officer, Office of the Chief Operating Officer

FROM:     Carl W. Hoecker, Inspector General, Office of Inspector General

SUBJECT:  Controls Over the SEC’s Inventory of Laptop Computers, Report No. 524

Attached is the Office of Inspector General’s (OIG) final report detailing the results of our audit of the U.S. Securities and Exchange Commission’s (SEC) controls over its inventory of laptop computers. The report contains four recommendations for corrective action that, if fully implemented, should strengthen the SEC’s inventory controls over its laptop computers.

On September 4, 2014, we provided you with a draft of our report for review and comment. In your September 16, 2014, response, you concurred with our recommendations. We have included your response as Appendix III in the final report.

Within the next 45 days, please provide the OIG with a written corrective action plan that addresses the recommendations. The corrective action plan should include information such as the responsible official/point of contact, timeframe for completing required actions, and milestones identifying how your office will address the recommendations.

We appreciate the courtesies and cooperation extended to us during the audit. If you have questions, please contact me or Rebecca L. Sharek, Deputy Inspector General for Audits, Evaluations, and Special Projects.

Attachment

cc:  Mary Jo White, Chair
     Erica Y. Williams, Deputy Chief of Staff, Office of the Chair
     Luis A. Aguilar, Commissioner
     Paul Gumagay, Counsel, Office of Commissioner Aguilar
     Daniel M. Gallagher, Commissioner
     Benjamin Brown, Counsel, Office of Commissioner Gallagher
     Michael S. Piwowar, Commissioner
     Mark Uyeda, Counsel, Office of Commissioner Piwowar
     Kara M. Stein, Commissioner
     Robert Peak, Advisor to the Commissioner, Office of Commissioner Stein
     Anne K. Small, General Counsel, Office of the General Counsel
     Timothy Henseler, Director, Office of Legislative and Intergovernmental Affairs
     John J. Nester, Director, Office of Public Affairs
     Thomas A. Bayer, Director, Office of Information Technology
     Pamela C. Dyson, Deputy Director, Office of Information Technology
     Rhea Kemble Dignam, Regional Director, Office of the Regional Director, Atlanta Regional Office
     Roderick Goodwin, Assistant Regional Director, Office of the Assistant Regional Director for Operations, Atlanta Regional Office
     Julie K. Lutz, Regional Director, Office of the Regional Director, Denver Regional Office
     Christopher Friedman, Assistant Regional Director, Office of the Assistant Director of Regional Operations, Denver Regional Office
     Andrew Calamari, Regional Director, Office of the Regional Director, New York Regional Office
     Darlene L. Pryor, Management and Program Analyst, Office of the Chief Operating Officer

Executive Summary

Controls Over the SEC’s Inventory of Laptop Computers
Report No. 524
September 22, 2014

Why We Did This Audit

Laptop computers (laptops) are portable and easy to conceal and often contain sensitive information. Consequently, they are at risk of loss and theft and must be properly safeguarded and accounted for. To support the agency’s mission, employees and contractors of the U.S. Securities and Exchange Commission (SEC) use laptops, some of which process and store commercially valuable, market-sensitive, proprietary, and other nonpublic information. However, recent Office of Inspector General (OIG) investigative and review work identified weaknesses in the SEC’s laptop inventory records and encryption controls. We initiated this audit to evaluate the effectiveness of the agency’s information technology (IT) inventory program and its controls over laptops.

What We Found

To evaluate the SEC’s IT inventory program and its controls over laptops, we reviewed a statistical sample of 244 laptops assigned to the SEC’s headquarters and 3 of its regional offices. We also reviewed a judgmental sample of an additional 244 laptops assigned to those offices, for a total of 488 laptops reviewed. We determined that the SEC had addressed prior OIG recommendations about laptop accountability and has controls for safeguarding laptops throughout their lifecycles. However, we identified needed improvements.

Specifically, the SEC’s IT inventory contained incorrect information for a significant number of laptops. For example, Office of Information Technology (OIT) management decided not to update the inventory to reflect the correct location of 921 laptops that had been located at the Operations Center, which the SEC closed in October 2013. OIT plans to update the location information for these assets when the ongoing agencywide inventory is complete. The inventory also included incorrect location information for 82 (or about 17 percent) of the 488 laptops we reviewed, and incorrect user information for 105 (or about 22 percent) of the 488 laptops we reviewed. In addition, 24 laptops could not be accounted for, and 4 laptops were in the custody of users although the assets were not included in the inventory. Finally, the SEC’s procedures for sharing information about lost or stolen laptops were inadequate.

These weaknesses existed because personnel did not always understand their roles and responsibilities, and related policies and procedures were inadequate, had not been effectively communicated, and were not consistently followed. As a result of our testing, we questioned the reliability of the SEC’s IT inventory and estimated that it may reflect incorrect information for over 1,000 laptops. Furthermore, we estimated that as many as 202 laptops assigned to the locations we reviewed may be unaccounted for. By not ensuring that inventory records are accurate and that all laptops are accounted for, the SEC is not consistently safeguarding sensitive assets and may be unaware of lost or stolen laptops. In the event that lost, stolen, or otherwise unaccounted-for laptops are not protected by encryption software, which we reported as a finding in our May 2014 Review of the SEC’s Practices for Sanitizing Digital Information System Media (Report No. 521), the SEC is at risk for the unauthorized release of sensitive, nonpublic information.

We also identified a lack of segregation of duties and compensating controls in the SEC’s IT inventory management system. Specifically, at least 88 employees and contractors with access to and custody of laptops also have the ability to delete asset records from the inventory database. This creates opportunities for the misappropriation of laptops without management’s knowledge.

What We Recommended

OIT is undertaking an agencywide IT inventory, which includes laptops, and plans to replace its IT inventory management system. However, additional actions are needed to improve the agency’s controls over laptops. We made four recommendations for corrective action that address policies and procedures for maintaining inventories of laptops; coordination between OIT organizations; notifications about unaccounted-for laptops; and a review of IT inventory management system user accountability. Management concurred with the recommendations, which will be closed upon completion and verification of corrective action.

For additional information, contact the Office of Inspector General at (202) 551-6061 or http://www.sec.gov/about/offices/inspector_general.shtml.

TABLE OF CONTENTS

Executive Summary

Background and Objectives
    Background
    Objectives

Results
    Finding 1: The SEC’s Laptop Inventory Controls Need Improvement
    Recommendations, Management’s Response, and Evaluation of Management’s Response

    Finding 2: Lack of Segregation of Duties and Compensating Controls in the ITSM System
    Recommendation, Management’s Response, and Evaluation of Management’s Response

Tables and Figure
    Table 1. Distribution of SEC Laptops by Location
    Figure. Lifecycle of an SEC Laptop
    Table 2. Statistical Sampling: Summary of Existence Testing Results and Projections of Incorrect IT Inventory Information by Location
    Table 3. Judgmental Sampling: Summary of Completeness Testing Results and Incorrect IT Inventory Information by Location
    Table 4. Statistical Sampling: Summary and Projections of Unaccounted-for Laptops by Location

Appendices
    Appendix I. Scope and Methodology
    Appendix II. Federal Laws and Guidance and SEC Administrative Regulations, Policies, and Procedures
    Appendix III. Management Comments
    Appendix IV. OIG Response to Management Comments


ABBREVIATIONS

AMB       Asset Management Branch
ARO       Atlanta Regional Office
CSIRC     Computer Security Incident Response Center
DRO       Denver Regional Office
GAO       Government Accountability Office
IT        information technology
ITSM      Information Technology Service Management
laptop    laptop computer
NYRO      New York Regional Office
OIG       Office of Inspector General
OIT       Office of Information Technology
OMB       Office of Management and Budget
Rev.      Revision
RFID      radio frequency identification
SEC       U.S. Securities and Exchange Commission
SECR      SEC Administrative Regulation

REPORT NO. 524                                ii                                SEPTEMBER 22, 2014


Background and Objectives

Background

Because of their portability, ease of concealment, and the sensitivity of the information they often contain, laptop computers (laptops) are at risk of loss and theft and must be properly safeguarded and accounted for. To support the agency’s mission, employees and contractors of the U.S. Securities and Exchange Commission (SEC) use laptops – some of which process and store nonpublic information[1] – in their offices, at alternate work locations, and while on official travel. According to the SEC’s Information Technology Service Management (ITSM) system, as of April 1, 2014, the agency’s information technology (IT) inventory included a total of 5,525 laptops distributed to users at the SEC’s headquarters in Washington, D.C., its Operations Center (which the SEC closed in October 2013),[2] its 11 regional offices,[3] and its 2 data centers. Table 1 describes the purported distribution of these laptops.

Table 1. Distribution of SEC Laptops by Location

    SEC Location                  Number of Laptops    Percentage of Total
    Headquarters                              2,795                 50.59%
    Operations Center                           921                 16.67%
    Regional Offices                          1,726                 31.24%
    Data Centers                                  2                  0.04%
    No Location Identified[4]                    81                  1.47%
    Total                                     5,525             100.01%[a]

    Source: The SEC’s ITSM system as of April 1, 2014.
    [a] The total percentage does not equal 100 due to rounding.

[1] SEC Administrative Regulation SECR 23-2a, Safeguarding Non-Public Information, January 21, 2000, defines nonpublic information as “information generated by or in the possession of the SEC that is commercially valuable, market sensitive, proprietary, related to an enforcement or examination matter, subject to privilege, or otherwise deemed non-public by a division director or office head, and not otherwise available to the public.”
[2] In October 2013, the SEC closed the Operations Center located in Alexandria, Virginia, and moved personnel and the assets assigned to those personnel, including laptops, to the agency’s headquarters.
[3] The SEC’s regional offices are located in Atlanta, Boston, Chicago, Denver, Fort Worth, Los Angeles, Miami, New York, Philadelphia, Salt Lake City, and San Francisco.
[4] The SEC’s ITSM system did not include a physical location for these 81 laptops.

In March 2008, the Office of Inspector General (OIG) reported that the SEC did not effectively account for laptops. As stated in Inspection Report No. 441, Controls Over Laptops, we found that the SEC’s property management guidance did not identify laptops as sensitive property,[5] and the SEC’s Office of Information Technology (OIT) had not performed an SEC-wide baseline inventory of laptops since 2003. Because there was no baseline inventory, the OIG was unable to trace custody of laptops to specific individuals. As a result, we made five recommendations to strengthen controls over the SEC’s laptop inventory. Management concurred with the recommendations and implemented corrective actions, including designating laptops as sensitive property and developing a methodology for accounting for sensitive property such as laptops.[6] However, in August 2013, the OIG began investigating reports of stolen SEC laptops and identified inaccurate inventory records.

Federal Guidance. The Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Control, establishes guidance for internal control in Federal agencies. According to the Circular, Federal managers are responsible for establishing and maintaining internal control to achieve the objectives of (1) effective and efficient operations, (2) reliable financial reporting, and (3) compliance with applicable laws and regulations. The safeguarding of assets is a subset of these objectives. Specifically, Federal managers should design controls to provide reasonable assurance of preventing or promptly detecting unauthorized acquisition, use, or disposition of assets.[7] Therefore, the SEC’s controls over laptops should be designed to provide reasonable assurance that laptops support the agency’s mission and are safeguarded throughout their lifecycles.

[5] According to SEC Administrative Regulation SECR 09-02, Revision 1, Property Management Program, September 11, 2012, the SEC defines “sensitive property” as “items designated by [Office of Information Technology] Information Security to have characteristics deemed sensitive from a data perspective and vital to continued operations and, if lost, could negatively affect the agency’s image.”
[6] U.S. Securities and Exchange Commission, Office of Inspector General, Inspection Report No. 441, Controls Over Laptops, March 31, 2008. The report can be accessed at: http://www.sec.gov/oig/reportspubs/ir441.pdf.
[7] OMB Circular A-123 Revised, Management’s Responsibility for Internal Control, December 21, 2004, Attachment pp. 6 and 7.

SEC Administrative Regulations, Policies, and Procedures. Various SEC property management and IT administrative regulations, policies, and procedures address controls over the agency’s laptops. The documents establish roles and responsibilities for laptop inventory management and describe the agency’s asset management information systems. The agency’s primary property management directive is SEC Administrative Regulation SECR 09-02, Revision (Rev.) 1, Property Management Program (SECR 09-02), which designates laptops as sensitive property. Additional policies and procedures that establish controls over laptops and asset management include, but are not limited to, the following:
• SEC ISS-AM-PD-0022, AMB Receiving Procedure (Draft), July 12, 2013;

• SEC ISS-AM-PD-0022, Maintenance, Repair, and Return Material Authorization Procedure (Draft), July 29, 2013; and

• SEC OIT, Security Operations, SEC Incident Response Capability Handbook, April 2014.

Appendix II lists other relevant SEC policies and procedures.

Roles and Responsibilities. According to the SEC’s regulations, policies, and procedures, several offices within the OIT share responsibility for maintaining accountability for the agency’s laptops. These offices include the OIT’s Asset Management Branch (AMB), the Computer Security Incident Response Center (CSIRC), and the Service Desk. The AMB is responsible for receiving physical assets including laptops, updating the SEC’s inventory records, and ensuring that laptops are managed according to sensitive property requirements.[8] The CSIRC is responsible for responding to information system security incidents such as reports of lost or stolen laptops.[9] And the Service Desk is responsible for collecting requests for additional IT assets including laptops and updating the ITSM system.[10]

SEC directors, office heads, and regional office IT Specialists are also responsible for maintaining accountability for laptops. Specifically, directors and office heads are responsible for maintaining control over property assigned to their respective organizations, including sensitive property such as laptops.[11] Regional office IT Specialists are responsible for the shipment, receipt, and distribution of IT assets (including laptops) returned for maintenance as well as for notifying the AMB of their actions and updating the ITSM system accordingly.[12] SEC employees and contractor staff are responsible for ensuring the proper use, care, and protection of all personal property (including laptops) in their possession, and for reporting immediately to supervisors any personal property that is lost, missing, damaged, or destroyed.[13]

[8] SEC ISS-AM-PD-0022, p. 2, and SECR 09-02, Section 1-6 N.2, p. 12 and Section 6-2 E, p. 31.
[9] Securities and Exchange Commission, Office of Information Technology, Security Operations, SEC Incident Response Capability Handbook, April 2014, p. 1.
[10] SECR 09-02, Section 1-5, p. 6, and Section 2-4 A, p. 16.
[11] SECR 09-02, Section 1-6 F, p. 8, and Section 6-2 E.1, p. 31.
[12] SEC ISS-AM-PD-0022, p. 2.
[13] SECR 09-02, Section 1-6 P, p. 14.

Asset Management Information Systems Used to Track Laptops. In addition to assigning roles and responsibilities, SEC policies and procedures describe the following systems used for asset management: the ITSM system, RF Code™, and Computrace®. These systems are used to collect and track data such as a laptop’s asset tag number, serial number, manufacturer, location, and assigned employee, and can assist in locating lost or stolen assets. Collectively, each laptop’s asset tag number, serial
number, and RF Code™ create a unique identifier that is used to track the asset throughout its lifecycle.

The ITSM system is considered the SEC’s IT inventory management system[14] and primary mechanism for ensuring accountability for the agency’s IT assets, including laptops. The system contains a record of each SEC IT asset with a purchase price greater than $350. The system includes a subcomponent called the Configuration Management Database, which is used to baseline and manage the inventory of all IT assets, including laptops. It also has an IT ticketing component that the OIT’s Service Desk uses to request maintenance and repair of IT assets and to track assets when changes in custody occur during the lifecycle of the asset.[15]

The SEC also uses RF Code™ and Computrace® to manage and track IT assets such as laptops. These two systems play key roles in locating lost or stolen laptops. RF Code™ consists of radio frequency identification (RFID) transmitters, RFID readers, and a database. Before entering laptops in the SEC’s inventory, OIT staff mount an RFID transmitter on each asset. Staff then enter each laptop’s unique identifier into the RF Code™ database along with the unique tag number from the assigned RFID transmitter. RFID readers located throughout the SEC’s headquarters and regional offices read the active transmissions from the laptops’ RFID transmitters, thereby providing real-time location information about the laptops within each SEC facility.

Computrace® is also installed on a laptop before it is issued to an end user. When a user logs into an internet service provider, the Computrace® software will report to the SEC the user’s identification and the laptop’s location. Computrace® complements RF Code™ by providing real-time position and user information for laptops outside of the SEC’s facilities and, therefore, outside the range of the RFID readers. During our testing of the accuracy and completeness of the ITSM system, we were able to locate several laptops with RF Code™ and Computrace® that we could not locate using the ITSM system alone.

[14] SECR 09-02, Section 1-5, p. 6.
[15] SECR 09-02, p. 6.

Lifecycle of an SEC Laptop. SEC laptops pass through several stages from initial receipt from a manufacturer to disposal. The figure below illustrates each stage, the necessary inventory updates that should occur during each stage, the types of information that should be collected, the system(s) that should be updated, and the office responsible for completing the updates.

Figure. Lifecycle of an SEC Laptop

Stage 1 (Responsible office: AMB)
    Process:              Receive laptops from the manufacturer and add them to the inventory.
    Sub-process:          Affix laptop tracking tags.
    Data collected:       Numbers from the OIT/Asset tag and the RFID transmitter.
    OIT systems updated:  Information Technology Service Management and RF Code™.

Stage 2 (Responsible office: AMB)
    Process:              Laptops are stored in the warehouse.
    Data collected:       Laptop location information.
    OIT systems updated:  Information Technology Service Management.

Stage 3 (Responsible office: AMB)
    Process:              Issue laptop to Service Desk or regional IT Specialist.
    Sub-process:          Computrace® is installed prior to releasing the laptop.
    Data collected:       Laptop location information.
    OIT systems updated:  Information Technology Service Management and Computrace®.

Stage 4 (Responsible office: Service Desk/Regional IT Specialist)
    Process:              Service Desk or regional IT Specialist issues the laptop to an end user.
    Sub-process:          The released laptop has a status change (new end user, repair, change in location, maintenance, etc.); the Service Desk or regional IT Specialist updates the asset record in the inventory to reflect the status change.
    Data collected:       End user’s name and location.
    OIT systems updated:  Information Technology Service Management.

Stage 5 (Responsible office: AMB)
    Process:              At the end of its useful life, the laptop is scheduled for disposal.
    Data collected:       Tracking tag numbers, end user’s name and location, and Computrace® license information.
    OIT systems updated:  Information Technology Service Management, RF Code™, and Computrace®.

Source: OIG generated.


Objectives

Our objective was to evaluate the effectiveness of the SEC’s IT inventory program and its controls over laptops. Specifically, we sought to

• determine whether the OIT had established policies, procedures, and supporting documentation to properly identify, track, and safeguard the SEC’s laptops throughout their lifecycles;

• evaluate the SEC’s procedures for receiving laptops and adding them to the IT inventory;

• evaluate the SEC’s procedures for updating the status of laptops in the IT inventory;

• evaluate the SEC’s procedures for reporting lost or stolen laptops;

• assess the IT controls over the information systems used to track laptops; and

• evaluate whether the SEC effectively addressed prior recommendations for corrective action from the OIG’s Inspection Report No. 441, Controls Over Laptops.

To accomplish our objectives, we selected from the SEC’s IT inventory a statistical sample of 244 laptops. We also selected a judgmental sample of an additional 244 laptops, for a total of 488 laptops reviewed.
We chose to select assets assigned to the SEC's headquarters and 3 of its 11 regional offices: the Atlanta Regional Office (ARO), the Denver Regional Office (DRO), and the New York Regional Office (NYRO). According to the ITSM system, there were a total of 3,601 laptops assigned to these locations, or about 65 percent of the SEC's total population of 5,525 laptops as of April 1, 2014.

Appendices I and II include additional information on our scope and methodology; review of internal controls; sampling methodology; prior coverage; and the applicable Federal laws and guidance and SEC regulations, policies, and procedures.

Results

Finding 1: The SEC's Laptop Inventory Controls Need Improvement

To ensure that assets are properly safeguarded, OMB Circular A-123 requires Federal managers to establish controls that provide reasonable assurance of preventing or promptly detecting unauthorized acquisition, use, or disposition of assets.16 We determined that the SEC had addressed the OIG's prior recommendations about laptop accountability. In addition, the agency has policies, procedures, and IT systems for identifying, tracking, and safeguarding sensitive property, including laptops, throughout their lifecycles. The procedures include controls for receiving laptops, maintaining inventory records, and reporting lost or stolen laptops. Finally, the SEC's primary mechanism for ensuring accountability for its laptops is the ITSM system. However, we identified needed improvements in the SEC's IT inventory program and controls over its laptops.
Specifically, we determined the following:

  • The SEC's IT inventory contained incorrect information for a significant number of laptops. For example, OIT management decided not to update the inventory to reflect the correct location of 921 laptops that had been located at the Operations Center, which the SEC closed in October 2013. OIT plans to update the location information for these assets when the ongoing agencywide inventory is complete. The inventory also did not specify a location for another 81 laptops. Finally, the inventory included incorrect location information for 82 (or about 17 percent) of the 488 laptops we reviewed and incorrect user information for 105 (or about 22 percent) of the 488 laptops we reviewed.

  • Twenty-four laptops included in the inventory and selected for review could not be accounted for.17

  • The SEC's procedures for sharing information about lost or stolen laptops were inadequate.

These weaknesses existed because personnel did not always understand their roles and responsibilities; and related policies and procedures were inadequate, had not been effectively communicated to regional office personnel, and were not consistently followed. As a result of our testing, we questioned the reliability of the SEC's IT inventory and estimated that it may reflect incorrect location and/or user information for over 1,000 laptops, or nearly one-third of the 3,601 assets assigned to the locations we reviewed. Furthermore, we estimated that as many as 202 laptops assigned to the locations we reviewed may be unaccounted for. By not ensuring that inventory records are accurate and that all laptops are accounted for, the SEC may be unaware of lost or stolen laptops. In the event that lost, stolen, or otherwise unaccounted-for laptops are not protected by encryption software, which we reported as a finding in our May 2014 Review of the SEC's Practices for Sanitizing Digital Information System Media (Report No. 521), the SEC is at risk for the unauthorized release of sensitive, nonpublic information.

16 OMB Circular A-123, p. 7.
17 We considered a laptop "accounted for" if: (1) we physically observed the laptop; (2) the person in possession of the laptop provided correct identifying information by email; or (3) an SF-120, Report of Excess Personal Property, was provided for the laptop.

The SEC's IT Inventory Contained Incorrect Information. According to SEC policy, AMB and IT Service Desk personnel update the SEC's IT inventory,18 and ensure that laptops are managed according to sensitive property requirements. Regional office IT Specialists are also responsible for keeping the AMB informed and updating the ITSM system. We determined that AMB staff received laptops and added them to the inventory.19 However, we reviewed the SEC's inventory records and selected a statistical sample of 244 laptops and a judgmental sample of an additional 244 laptops (for a total of 488 laptops reviewed)20 and determined that SEC personnel had not ensured that the inventory contained accurate information.

For example, 921 laptops in the inventory were reported as assigned to the SEC's Operations Center, which the SEC closed in October 2013.
When asked why assets were still assigned to the Operations Center although they had been moved to the SEC's headquarters or other facilities, AMB personnel stated that OIT management decided not to update the assets' location in the ITSM system until personnel complete the agencywide inventory initiated in April 2014. The inventory is expected to be complete by the end of 2014. We also noted that the inventory did not specify a location for another 81 laptops.

In addition, we determined that the inventory included incorrect location information for 82 (or about 17 percent) of the 488 laptops included in our sample. Of the 82 laptops we reviewed with incorrect location information, 34 were identified through statistical sampling methods, as shown in Table 2, and the remaining 48 were identified through judgmental sampling, as shown in Table 3. In some instances, the discrepancies were a matter of wrong room numbers in the same building. In others, the assets were found in different SEC facilities. For example, according to the inventory, one laptop should have been located at the SEC's headquarters but was found in the Chicago Regional Office. Another laptop that should have been located at the NYRO was found at the SEC's headquarters.

18 SECR 09-02 4-8 OIT Inventory Procedures states, "The AMB Branch Chief shall prescribe the frequency and types of inventories to be performed." AMB staff told us that IT Service Desk personnel update inventory records, including the records for laptops, when the status of each asset changes (i.e., when the asset is released to a user, disposed of, etc.). In addition, the AMB performs biennial inventories and updates the ITSM system as necessary at that time.
19 To assess the AMB's controls over receiving laptops and adding them to the ITSM inventory, we selected a judgmental sample of 30 laptops received as recorded in the AMB's receiving log and compared supporting information to the ITSM inventory and found no exceptions. We also noted that receiving operations are witnessed by security personnel.
20 We selected the statistical sample from the SEC's inventory records and visited the SEC's headquarters, the ARO, the DRO, and the NYRO to verify each asset's existence and the accuracy of the recorded information (referred to as existence testing). While performing existence testing, we judgmentally selected laptops found at each location and traced them back to the inventory records to determine whether the records were accurate and complete (referred to as completeness testing). Appendix I further describes our sampling methodology.

We also determined that end user information included in the inventory was incorrect for a total of 105 of the 488 laptops included in our sample (or about 22 percent). As shown in Tables 2 and 3, respectively, 50 of the laptops with incorrect end user information were identified through statistical sampling methods and another 55 were identified through judgmental sampling. For example, in one instance the inventory showed that a laptop was "Released to customer" although it had been slated for disposal.

In some cases, both location and user information were incorrect.21 For example, the inventory showed that one laptop was assigned to a user at the NYRO.
However, using the SEC's employee directory and Computrace®, we determined that both the user and the laptop were at the Miami Regional Office, and the laptop had been assigned to another user.

Finally, in at least one case, the basic asset information included in the SEC's inventory was incorrect. The laptop was assigned to a user at the SEC's headquarters but was incorrectly identified in the ITSM system as a monitor.

Because of the inaccuracy of the agency's IT inventory records, time-consuming and extraordinary efforts were required to locate or account for some laptops in our review. Staff had to examine local inventory records, search through boxes and storage areas containing laptops scheduled for disposal, and request tracking using RF Code™ and Computrace®. In addition, when we projected the results of our statistical sample to the total population of the sample, as shown in Table 2, we estimated that the SEC's IT inventory may reflect incorrect location and/or user information for over 1,000 laptops, or nearly one-third of the 3,601 assets assigned to the locations we reviewed. Although we cannot project the results of our judgmental sample, shown in Table 3, we believe the testing results support the conclusion that the SEC's IT inventory records contained inaccurate information.

21 We determined that the inventory records included both incorrect location information and incorrect user information for 6 of the sampled laptops from the SEC's headquarters, 15 of the sampled laptops from the ARO, 2 of the sampled laptops for the DRO, and 8 of the sampled laptops for the NYRO.

Table 2.
Statistical Sampling: Summary of Existence Testing Results and Projections of Incorrect IT Inventory Information by Location

  SEC Location   Incorrect Information   Sampled     Statistical   Percentage   Population   Projection to
                                         Laptops     Sample Size   Incorrect    Size         Population22
  Headquarters   Incorrect Location          13           74         17.56%        2,795           491
                 Incorrect End User          12           74         16.21%        2,795           453
  ARO            Incorrect Location          12           56         21.42%          120            26
                 Incorrect End User          21           56         37.50%          120            45
  DRO            Incorrect Location           8           52         15.38%          118            18
                 Incorrect End User           4           52          7.69%          118             9
  NYRO           Incorrect Location           1           62          1.61%          568             9
                 Incorrect End User          13           62         20.97%          568           119
  Total          Incorrect Location          34          244                       3,601           544
                 Incorrect End User          50          244                       3,601           626
Source: OIG generated.

22 We are 90 percent confident that the number of laptops with incorrect location information at the locations reviewed is as follows:
    - between 455 (lower limit) and 527 (upper limit) for the SEC's headquarters;
    - between 24 (lower limit) and 28 (upper limit) for the ARO;
    - between 17 (lower limit) and 19 (upper limit) for the DRO; and
    - between 8 (lower limit) and 10 (upper limit) for the NYRO.
We are 90 percent confident that the number of laptops with incorrect end user information at the locations reviewed is as follows:
    - between 421 (lower limit) and 485 (upper limit) for the SEC's headquarters;
    - between 40 (lower limit) and 50 (upper limit) for the ARO;
    - between 8 (lower limit) and 10 (upper limit) for the DRO; and
    - between 109 (lower limit) and 129 (upper limit) for the NYRO.

Table 3.
Judgmental Sampling: Summary of Completeness Testing Results and Incorrect IT Inventory Information by Location

  SEC Location   Incorrect Information   Sampled Laptops   Judgmental    Percentage
                                         with Incorrect    Sample Size   Incorrect
                                         Information
  Headquarters   Incorrect Location             17              74        22.97%
                 Incorrect End User              6              74         8.11%
  ARO            Incorrect Location             21              56        37.50%
                 Incorrect End User             23              56        41.07%
  DRO            Incorrect Location              1              52         1.92%
                 Incorrect End User              4              52         7.69%
  NYRO           Incorrect Location              9              62        14.52%
                 Incorrect End User             22              62        35.48%
  Total          Incorrect Location             48             244
                 Incorrect End User             55             244
Source: OIG generated.

Some Laptops Could Not Be Accounted For.
Although most of the 244 laptops from our statistical sample and existence testing procedures were found, 24 could not be located, including 11 from the ARO and 8 from the DRO. The 19 assets from the ARO and DRO were reported to have been returned to the SEC's headquarters for disposal; however, OIT personnel in headquarters could not find the laptops or provide an SF-120, Report of Excess Personal Property, showing that the laptops had been disposed of. When asked about these 24 laptops, OIT officials stated that they are conducting a biennial IT inventory throughout the SEC regional offices and headquarters. The inventory is expected to be completed by the end of 2014. OIT personnel stated that this ongoing agencywide inventory will enable them to locate assets that are not on-line and cannot be discovered electronically.

Based on the results of our testing, we estimated that as many as 202 laptops assigned to the locations we reviewed may be unaccounted for. Table 4 summarizes and projects the unaccounted-for laptops in our statistical sample by location.

Table 4.
Statistical Sampling: Summary and Projections of Unaccounted-for Laptops by Location

  SEC Location   Sampled Laptops   Statistical   Percentage        Population   Projection to
                 Unaccounted for   Sample Size   Unaccounted for   Size         Population23
  Headquarters          4               74            5.41%           2,795          151
  ARO                  11               56           19.64%             120           24
  DRO                   8               52           15.38%             118           18
  NYRO                  1               62            1.61%             568            9
  Total                24              244                            3,601          202
Source: OIG generated.

In addition to identifying 24 laptops that were unaccounted for during our existence testing, we also found during our completeness testing 4 laptops (1 at each SEC facility reviewed) in the custody of end users, although the assets were not recorded in the ITSM system.

Procedures for Sharing Information About Lost or Stolen Laptops Were Inadequate. We interviewed CSIRC staff and determined that, when a laptop is lost or stolen, the SEC's procedures require end users to complete a Lost/Theft form and report the loss or theft to either the OIT or the designated IT Specialist.
CSIRC personnel then notify SEC senior management and the Department of Homeland Security of a possible release of personally identifiable information, if appropriate.24 Subsequently, as part of their incident tracking and reporting process, CSIRC personnel maintain information in their own incident management system, called ARCHER, and notify AMB personnel of the lost or stolen device. However, CSIRC staff stated that they do not have access to the RF Code™ or Computrace® systems for tracking, locating, and recovering laptops, which may hinder their ability to respond to reports of lost or stolen laptops. In addition, they are not responsible for updating ITSM.

23 We are 90 percent confident the number of unaccounted-for laptops at the locations reviewed is as follows:
    - between 144 (lower limit) and 158 (upper limit) for the SEC's headquarters;
    - between 22 (lower limit) and 26 (upper limit) for the ARO;
    - between 17 (lower limit) and 19 (upper limit) for the DRO; and
    - between 8 (lower limit) and 10 (upper limit) for the NYRO.
24 According to the Department of Homeland Security, when an individual gains logical or physical access, without permission, to a Federal agency network, system, application, data, or other resource (i.e., a laptop) the Department must be notified within 1 hour of discovery or detection. Agencies notify the Department of Homeland Security through the United States Computer Emergency Readiness Team's web-based system.

To verify internal reporting to the AMB, we requested a list of lost or stolen items reported to the CSIRC between October 1, 2011, and March 31, 2014. Eighteen of the reported incidents involved laptops. AMB staff confirmed that they were notified of the 18 incidents; however, they could not determine whether 14 of the 18 laptops had been recovered because CSIRC personnel did not provide an updated status of the laptops. Additionally, AMB staff stated that they can flag an asset in the ITSM system as lost or stolen, but they do not know if a regional office user has been issued a new laptop. We concluded that CSIRC and AMB personnel do not always share information or periodically reconcile their separate inventories to ensure that (1) all responsible parties know the status of laptops that are reported as lost or stolen, and (2) the IT inventory is as accurate as possible.

Lack of Clear Roles and Responsibilities, Adequate Policies and Procedures, and Effective Communication of the Agency's Approach to IT Inventory Management

The weaknesses that we observed existed, in part, because the OIT's policies and procedures did not clearly define roles and responsibilities to ensure that the laptop inventory (or the IT inventory in general) is consistently updated with current and correct information. Further, OIT policies and procedures had not been effectively communicated to the responsible parties, including staff located in the regional offices, and are not consistently followed throughout each asset's lifecycle.

While the SEC's policies and procedures identify roles and responsibilities for laptop inventory management, our fieldwork found inconsistencies with SEC Administrative Regulation, SECR 09-02.
This regulation states that accountability for laptops is delegated to directors and office heads with the AMB providing general oversight. However, we found that accountability for laptops is centralized within the AMB, with the Service Desk and IT Specialists supporting the AMB's accountability efforts. Additionally, although the AMB has developed 11 different operating procedures about accountability for IT assets (including laptops),25 only 6 of the 11 procedures contain guidance on roles and responsibilities for updating the ITSM system, and we determined that such guidance was often unclear. For example, the Maintenance, Repair, and Return Material Authorization Procedure does not specifically describe the objective of the AMB or state the fields within the ITSM system that should be updated.

To gain a complete understanding of the SEC's roles and responsibilities for updating the agency's IT inventory, we interviewed personnel from the AMB, the Service Desk, the CSIRC, directors and office heads, and the IT Specialists located at the SEC's headquarters and regional offices. These discussions were necessary because the agency's written operating procedures did not sufficiently establish the roles and responsibilities in practice across the agency.

In addition, during our visits to the ARO, DRO, and NYRO, we inquired about the policies and procedures that the regional office IT Specialists use to account for assets and to maintain control over their office's laptop inventory. None of the five IT Specialists in the three regional offices that we visited were aware of the agency's written requirements for IT asset management or inventory control, including SECR 09-02. Although we were informed by OIT staff at the SEC's headquarters that regional IT Specialists are responsible for knowing and adhering to these policies and procedures, the Specialists informed us that they follow their own procedures for tracking laptops throughout their lifecycles. Finally, although regional IT Specialists manage their office's IT asset inventories, they are primarily concerned with minimizing down-time for local users. Two of the regional IT Specialists that we interviewed said they never updated the ITSM system. The remaining three regional IT Specialists that we interviewed informed us that they updated the system only when an asset's status change was permanent (i.e., when an individual was issued a new laptop). We also found that regional IT Specialists performed local inventories and maintained their own sets of records that reflected changes in laptops' locations and end users. However, they did not report such changes to AMB staff or ensure that the ITSM system was updated.

25 See Appendix II. Federal Laws and Guidance and SEC Administrative Regulations, Policies, and Procedures.

Conclusion

Although the SEC addressed the OIG's prior recommendations about laptop accountability and has policies and procedures for safeguarding laptops throughout their lifecycles, we identified needed improvements in both its IT inventory program and its controls over laptops. Inaccurate inventory records required personnel to engage in time-consuming and extraordinary efforts to locate or account for the SEC's assets. Staff had to examine local inventory records, search through boxes and storage areas containing laptops scheduled for disposal, and request tracking using RF Code™ and Computrace®.
While most laptops we reviewed were found, not all were accounted for. In addition, we found that the ITSM system did not reflect the correct status of several laptops, and several laptops were not included in the ITSM system or were incorrectly identified in the system. As a result of our testing, we questioned the reliability of the SEC's IT inventory and estimated that the inventory reflected incorrect location and/or user information for over 1,000 laptops, or nearly one-third of the 3,601 assets assigned to the locations we reviewed. Furthermore, we estimated that as many as 202 laptops assigned to the locations we reviewed may be unaccounted for. The IT inventory was also unreliable because of inadequate follow-through and sharing of information about lost or stolen laptops. Specifically, AMB staff were unable to provide the current status of certain laptops because of a lack of information from CSIRC personnel.

By not ensuring that inventory records are accurate and that all laptops are accounted for, the SEC is not consistently safeguarding sensitive assets and may be unaware of laptops that have been lost or stolen. In addition to losing the asset itself, lost, stolen, or otherwise unaccounted-for laptops that are not protected by encryption software create a risk for unauthorized release of sensitive, nonpublic information. As we reported in our May 2014 Review of the SEC's Practices for Sanitizing Digital Information System Media (Report No.
521),26 laptop hard drives that were in use between 2010 and 2013 – after the agency began requiring full disk encryption27 – were not encrypted and, in some cases, contained large amounts of nonpublic information, including personally identifiable information. Consequently, some of the laptops that are currently unaccounted for may have unencrypted hard drives. If they have been lost or stolen, the SEC's nonpublic information could be compromised.

The OIT is undertaking an agencywide IT inventory, which includes laptops, and expects to complete the inventory by the end of 2014. While this is a good first step, additional actions are needed to address the control weaknesses we observed and to ensure that the SEC maintains an accurate laptop inventory in the future.

Recommendations, Management's Response, and Evaluation of Management's Response

To improve the SEC's controls over laptops, the Office of Information Technology should implement the following recommendations:

Recommendation 1: Revise and communicate to all responsible parties, including regional office personnel, comprehensive procedures for maintaining inventories of laptop computers, to include (a) clearly defined roles and responsibilities, (b) management's expectations for maintaining an accurate inventory, and (c) guidance on when inventory updates are required.

     Management's Response. The Office of Information Technology concurred with the recommendation and will review, revise as appropriate, and disseminate enhanced policy and comprehensive procedures on property accountability and reporting, with specific emphasis on controls associated with laptop computers. Further, the Office will train responsible parties, including regional office personnel, on property management recordkeeping requirements, timeframes, and procedures. In addition, OIT will communicate expectations to all stakeholders regarding maintaining accurate inventory records, and will conduct "spot check" reconciliations of property records to laptop assets to assess compliance. Management's complete response is reprinted in Appendix III.

     OIG's Evaluation of Management's Response. Management's proposed actions are responsive; therefore, the recommendation is resolved and will be closed upon verification of the action taken.

26 U.S. Securities and Exchange Commission, Office of Inspector General, Report No. 521, Review of the SEC's Practices for Sanitizing Digital Information System Media, May 30, 2014. The report's executive summary can be accessed at: http://www.sec.gov/oig/reportspubs/521.pdf.
27 According to SEC OIT Implementing Instruction II 24-04.04.05 (01.1), Information Encryption within the SEC, April 6, 2010, the SEC requires full disk encryption on all laptop computers before they are issued to end users.
SECURITIES AND EXCHANGE COMMISSION                      OFFICE OF INSPECTOR GENERAL\n\n\nRecommendation 2: Ensure that personnel in the Computer Security Incident\nResponse Center have the ability to search for and track unaccounted-for laptops using\navailable resources such as RF Code\xe2\x84\xa2 and Computrace\xc2\xae and that they provide to the\nOffice of Information Technology Asset Management Branch personnel periodic status\nupdates on laptops that have been reported lost or stolen so that the inventory can be\nupdated as necessary.\n\n   Management\xe2\x80\x99s Response. The Office of Information Technology concurred with\n   the recommendation and will address the theme of the recommendation as a\n   component of the corrective actions to address Recommendation 1. The Office\n   recognizes the need for more systematic information-sharing among appropriate\n   parties (such as the Computer Security Incident Response Center, Office of\n   Information Technology Asset Management Branch, Office of Support Operations\xe2\x80\x99\n   Office of Security Services, and OIG Office of Investigations) in the case of\n   potentially lost or stolen laptops. Management\xe2\x80\x99s complete response is reprinted in\n   Appendix III.\n\n   OIG\xe2\x80\x99s Evaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s proposed actions\n   are responsive; therefore, the recommendation is resolved and will be closed upon\n   verification of the action taken.\n\nRecommendation 3: Complete its ongoing agencywide inventory. Based on the result\nof the agencywide inventory, promptly update its inventory system to ensure that all\nassets are included in the system accurately, and report to the Office of Information\nTechnology\xe2\x80\x99s Computer Security Incident Response Center unaccounted-for laptops.\n\n   Management\xe2\x80\x99s Response. 
The Office of Information Technology concurred with\n   the recommendation and, upon completion of the \xe2\x80\x9cwall-to-wall\xe2\x80\x9d inventory in October\n   2014, will update the inventory system as appropriate. Management\xe2\x80\x99s complete\n   response is reprinted in Appendix III.\n\n   OIG\xe2\x80\x99s Evaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s proposed actions\n   are responsive; therefore, the recommendation is resolved and will be closed upon\n   verification of the action taken.\n\n\n\n\nREPORT NO. 524                            16                          SEPTEMBER 22, 2014\n\x0cU.S. SECURITIES AND EXCHANGE COMMISSION                       OFFICE OF INSPECTOR GENERAL\n\n\n\nFinding 2: Lack of Segregation of Duties and Compensating\nControls in the ITSM System\nTo help prevent misappropriation of Federal assets, OMB Circular A-123 requires\nFederal managers to establish effective controls, such as segregation of duties.28\nContrary to this principle, at least 88 AMB employees and contractors that have access\nto and custody of laptops also have the ability to delete asset records from the ITSM\ninventory database.\n\nDuring our audit, we requested a list of user accounts and permissions for RF Code\xe2\x84\xa2,\nComputrace\xc2\xae, and the ITSM system. We determined that RF Code\xe2\x84\xa2 has one user and\nComputrace\xc2\xae had two users with permissions to add or delete assets from the systems.\nFurthermore, both systems included audit trails that record the activities of each user.\nHowever, we found that at least 88 AMB employees and contractors have the ability to\ndelete records from the ITSM system and have physical access to laptops. 
Additionally,\nthe ITSM system does not have an audit trail that tracks when an employee adds or\ndeletes an asset from the inventory database or otherwise modifies its status.\n\nAccording to AMB staff, the ITSM system automatically assigns delete rights to all users\ndesignated as system administrators and members of the AMB. AMB officials stated\nthat updating the system to reduce the number of users who can delete inventory\nrecords would not be practical since the OIT plans to replace the system in fiscal year\n2015.\n\nConclusion\nThe lack of segregation of duties and compensating controls in the ITSM system\ncreates opportunities for laptops to be misappropriated. For example, OIT personnel\nwho have permissions to delete assets from the ITSM system also have access to\nareas where laptops are stored. These individuals could simply take a laptop and\ndelete it from the inventory, without the knowledge of OIT management.\n\nRecommendation, Management\xe2\x80\x99s Response, and Evaluation of\nManagement\xe2\x80\x99s Response\nTo improve controls over the SEC\xe2\x80\x99s information technology inventory, the Office of\nInformation Technology should implement the following recommendation:\n\nRecommendation 4. Ensure that the system selected to replace the SEC\xe2\x80\x99s Information\nTechnology Service Management system includes segregation of duty controls,\nminimizes the number of user accounts that have permission to delete assets from the\ninventory, and includes an audit trail.\n\n\n\n28\n     OMB Circular A-123, p. 8.\n\n\n\n\nREPORT NO. 524                             17                          SEPTEMBER 22, 2014\n\x0cU.S. SECURITIES AND EXCHANGE COMMISSION                        OFFICE OF INSPECTOR GENERAL\n\n\n   Management\xe2\x80\x99s Response. The Office of Information Technology concurred with\n   the recommendation and is working with the Office of Acquisitions to procure an\n   equipment management tool. 
OIT expects to begin implementing the new system\n   early in fiscal year 2015. As the new tool is implemented, the Office of Information\n   Technology will ensure that it is configured to appropriately segregate duties, limit\n   ability to delete asset records to the minimal number of personnel required to\n   maintain accurate inventory records, and maintain an electronic audit trail of all\n   changes to property records. Management\xe2\x80\x99s complete response is reprinted in\n   Appendix III.\n\n   OIG\xe2\x80\x99s Evaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s proposed actions\n   are responsive; therefore, the recommendation is resolved and will be closed upon\n   verification of the action taken.\n\n\n\n\nREPORT NO. 524                             18                           SEPTEMBER 22, 2014\n\x0cU.S. SECURITIES AND EXCHANGE COMMISSION                        OFFICE OF INSPECTOR GENERAL\n\n\n\n                 Appendix I. Scope and Methodology\n\nWe conducted this performance audit from April through September 2014 in accordance\nwith generally accepted government auditing standards. Those standards require that\nwe plan and perform the audit to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our audit objectives. We\nbelieve that the evidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objectives.\n\nScope. The audit covered the period of October 1, 2011, to April 1, 2014, and\nconsisted of reviewing the SEC\xe2\x80\x99s laptop inventory, including samples of laptops\nassigned to the SEC\xe2\x80\x99s headquarters, the ARO, the DRO, and the NYRO. The scope\nalso included an assessment of the SEC's processes and selected supporting\ndocumentation. 
Specifically, the audit included a review of\n\n   \xef\x82\xb7   Federal guidance and agency policies and procedures for laptop computer\n       inventorying and accountability;\n\n   \xef\x82\xb7   relevant internal controls;\n\n   \xef\x82\xb7   the SEC\xe2\x80\x99s laptop inventory processes and organizational roles and\n       responsibilities;\n\n   \xef\x82\xb7   the accuracy and completeness of the agency\xe2\x80\x99s laptop inventory; and\n\n   \xef\x82\xb7   procedures for reporting and accounting for lost or stolen laptops.\n\nMethodology. To determine whether the OIT had established policies, procedures,\nand supporting documentation to properly identify, track, and safeguard the SEC\xe2\x80\x99s\nlaptops throughout their lifecycles, we obtained and reviewed relevant asset\nmanagement and information security laws, regulations, policies, and procedures. In\naddition, we conducted interviews with responsible officials at each location we\nreviewed to gain an understanding of the OIT\xe2\x80\x99s processes for maintaining control of\nlaptop computers.\n\nTo evaluate the SEC\xe2\x80\x99s procedures for receiving laptops and adding them to the IT\ninventory, we interviewed OIT personnel who were responsible for overseeing laptops.\nWe also toured the SEC headquarters\xe2\x80\x99 mailroom and loading dock areas where all SEC\nlaptops are received. Finally, we selected a judgmental sample of 30 laptops received\nas recorded in the AMB\xe2\x80\x99s receiving log and compared supporting information to the\nITSM inventory.\n\nTo evaluate the SEC\xe2\x80\x99s procedures for updating the status of laptops in the IT inventory\nand to assess the IT controls over information systems used to track laptops, we\n\n\n\n\nREPORT NO. 524                              19                          SEPTEMBER 22, 2014\n\x0cU.S. 
SECURITIES AND EXCHANGE COMMISSION                                      OFFICE OF INSPECTOR GENERAL\n\n\nperformed existence and completeness testing29 of the laptops distributed to the SEC\xe2\x80\x99s\nheadquarters, the ARO, the DRO, and NYRO. We developed and tested statistical and\njudgmental samples using data from the ITSM system and our observations during\nfieldwork performed at the locations included in the audit. We also selected a\njudgmental sample of 11 laptops and reviewed the historical activity in ITSM associated\nwith each laptop.\n\nTo further meet our audit objectives, we evaluated the SEC\xe2\x80\x99s procedures for reporting\nlost or stolen laptops. We interviewed OIT staff responsible for tracking laptops\nreported as lost or stolen and determined the disposition of assets reported missing\nduring the scope of the audit.\n\nTo determine whether the SEC effectively addressed prior recommendations for\ncorrective action from the OIG\xe2\x80\x99s Inspection Report No. 441, Controls Over Laptops\n(March 31, 2008), we reviewed recommendation closeout memoranda and discussed\nthe recommendations with OIT staff. We concluded that the OIG concurred with the\nactions taken and closed all recommendations during fiscal year 2009.\n\nInternal Controls. 
We obtained an understanding of the OIT\xe2\x80\x99s internal controls over\nlaptops and assessed the internal controls in accordance with the \xe2\x80\x9c[Committee of\nSponsoring Organizations] Model of Internal Control.\xe2\x80\x9d For our review of internal\ncontrols, we considered the following:\n\n     \xef\x82\xb7   Control Environment \xe2\x80\x93 We evaluated the SEC\xe2\x80\x99s control environment related to\n         laptops and determined that personnel at the ARO, the DRO, and NYRO did not\n         receive the agency\xe2\x80\x99s asset management and ITSM system training beyond the\n         introductory sessions.\n\n     \xef\x82\xb7   Risk Assessment \xe2\x80\x93 We determined that a risk assessment of laptop inventory\n         processes had not been conducted at the regional offices we visited. In addition,\n         we observed that the regional office IT Specialists were primarily concerned with\n         minimizing down-time for local users and not necessarily inventory management.\n\n     \xef\x82\xb7   Monitoring \xe2\x80\x93 We assessed the SEC\xe2\x80\x99s relevant monitoring activities and\n         determined that regional office IT Specialists periodically validated their own\n         laptop inventory. However, the regional office IT Specialists provided their\n         inventory listings to headquarters personnel only if requested.\n\n     \xef\x82\xb7   Control Activities \xe2\x80\x93 We reviewed the SEC\xe2\x80\x99s control activities related to laptops\n         and found that regional laptops were properly secured. Unissued laptops were\n         either stored in locked closets or IT work rooms with card reader access.\n\n\n29\n  \xe2\x80\x9cExistence testing\xe2\x80\x9d verified that a laptop included in the ITSM system actually existed and was in the\npossession of the person and at the location identified in the ITSM system. 
\xe2\x80\x9cCompleteness testing\xe2\x80\x9d\nverified that a laptop found in the possession of a person at a particular location was correctly recorded in\nthe ITSM system.\n\n\n\n\nREPORT NO. 524                                       20                                 SEPTEMBER 22, 2014\n\x0cU.S. SECURITIES AND EXCHANGE COMMISSION                         OFFICE OF INSPECTOR GENERAL\n\n\n   \xef\x82\xb7   Information and Communication \xe2\x80\x93 We evaluated the SEC\xe2\x80\x99s information and\n       communication activities regarding controls over laptops and determined that\n       regional office IT staff were unfamiliar with OIT guidance concerning asset\n       management. Rather, they followed their own policies, which included creating\n       and maintaining local inventories instead of using the agency\xe2\x80\x99s ITSM system.\n\nOverall, we determined that the OIT\xe2\x80\x99s IT inventory program and controls over its laptops\nneed improving, as discussed in this report.\n\nComputer-processed Data. The Government Accountability Office\xe2\x80\x99s (GAO) Assessing\nthe Reliability of Computer-Processed Data (GAO-09-680G, July 2009) states that \xe2\x80\x9cdata\nreliability refers to the accuracy and completeness of computer-processed data, given\nthe uses they are intended for. 
Computer-processed data may be data (1) entered into\na computer system or (2) resulting from computer processing.\xe2\x80\x9d Furthermore, GAO-09-\n680G provides definitions for \xe2\x80\x9creliability,\xe2\x80\x9d \xe2\x80\x9ccompleteness,\xe2\x80\x9d and \xe2\x80\x9caccuracy.\xe2\x80\x9d\n\n   \xef\x82\xb7   \xe2\x80\x9cReliability\xe2\x80\x9d means that data are reasonably complete and accurate, meet your\n       intended purposes, and are not subject to inappropriate alteration.\n\n   \xef\x82\xb7   \xe2\x80\x9cAccuracy\xe2\x80\x9d refers to the extent that recorded data reflect the actual underlying\n       information.\n\n   \xef\x82\xb7   \xe2\x80\x9cCompleteness\xe2\x80\x9d refers to the extent that relevant records are present and the\n       fields in each record are populated appropriately.\n\nWe used computer-processed data extracted from the ITSM system. Testing performed\non the data helped us determine the data\xe2\x80\x99s completeness and accuracy. By testing the\nlaptop receiving log and interviewing AMB receiving staff, we determined that laptops\nwere added to the ITSM system as they were received; therefore, the inventory was\ncomplete. However, through testing of the laptop inventory, we determined that the\nuser and location information in the ITSM system was inaccurate, as discussed in this\nreport.\n\nUsing GAO\xe2\x80\x99s definition of \xe2\x80\x9creliability\xe2\x80\x9d and the results of our testing, we concluded that\nlaptop location and end user information in the ITSM system was inaccurate and,\ntherefore, unreliable. Our results demonstrate that OIT staff did not consistently update\nwithin the ITSM system each asset\xe2\x80\x99s assigned SEC facility, user, user location, and\ncurrent status (i.e., lost, stolen, or disposed).\n\nSampling Methodology. To accomplish our objectives, we selected from the SEC\xe2\x80\x99s IT\ninventory a statistical sample of 244 laptops. 
We also selected a judgmental sample of\nan additional 244 laptops, for a total of 488 laptops reviewed. We chose to select\nassets assigned to the SEC\xe2\x80\x99s headquarters and the NYRO because the majority of SEC\nlaptops were assigned to these facilities. In addition, we chose to include laptops\nassigned to the ARO and the DRO to ensure that representative regional office\noperations and activities were included in our review. According to the ITSM system, as\n\n\n\n\nREPORT NO. 524                              21                           SEPTEMBER 22, 2014\n\x0cU.S. SECURITIES AND EXCHANGE COMMISSION                                   OFFICE OF INSPECTOR GENERAL\n\n\nof April 1, 2014, about 65 percent of the SEC\xe2\x80\x99s total population of 5,525 laptops were\nassigned to the locations selected for review.\n\n    Statistical Sampling. Using the data included in the ITSM system as of April 1, 2014,\nwe developed a stratified statistical sample for the locations we reviewed. The sample\nsize for each location was determined using the following parameters and EZ-Quant\nstatistical software30:\n\n      a) a presumed error rate of 5 percent;\n\n      b) a desired maximum precision range of 10 percent; and\n\n      c) a desired confidence level of 90 percent.\n\nAfter the sample size was determined, we selected items from the inventory for testing\nusing EZ-Quant\xe2\x80\x99s random number generator. The total population at the locations\nreviewed was 3,601 laptops. 
A statistical sample of 244 laptops from the SEC\xe2\x80\x99s IT\ninventory records was selected to test as follows:\n\n      \xef\x82\xb7   74 of the 2,795 laptops assigned to the SEC\xe2\x80\x99s headquarters;31\n\n      \xef\x82\xb7   56 of the 120 laptops assigned to the ARO;\n\n      \xef\x82\xb7   52 of the 118 laptops assigned to the DRO; and\n\n      \xef\x82\xb7   62 of the 568 laptops assigned to the NYRO.\n\nWe visited the locations selected to verify each asset\xe2\x80\x99s existence and the accuracy of\nthe information recorded in the inventory (referred to as existence testing). As\ndiscussed in this report, we projected the results of our tests to the laptop populations at\neach location we visited to determine how many errors could be anticipated. We also\nused GAO guidance on statistical sampling to calculate the sampling error for each\nprojection.32\n\n    Judgmental Sampling. While performing existence testing, we judgmentally selected\nlaptops found on-site and traced them back to the inventory records to determine\n\n30\n  EZ-Quant is a suite of three statistical applications for performing statistical sampling, regression\nanalysis, and improvement curve analysis. The Defense Contract Audit Agency developed and tested it\nfor use in its audit processes.\n31\n   Initially, our headquarters sample included 21 laptops from the Operations Center. However, since OIT\nhad not updated the location information for any of the laptops assigned to the Operations Center, we\nremoved these assets from our sample and select 21 additional laptops from the SEC\xe2\x80\x99s headquarters\npopulation using the inventory dated April 1, 2014. We used EZ-Quant to verify that the sample size did\nnot change, even though the tested population was reduced. 
The sampling parameters and our\nmethodology for using EZ-Quant\xe2\x80\x99s random number generator for sample selection, verifying the existence\nof the laptops, and projecting our results to the population remained unchanged.\n32\n     GAO, Using Statistical Sampling, GAO/PEMD-10.1.6, Revised May 1992.\n\n\n\n\nREPORT NO. 524                                     22                               SEPTEMBER 22, 2014\n\x0cU.S. SECURITIES AND EXCHANGE COMMISSION                                 OFFICE OF INSPECTOR GENERAL\n\n\nwhether the records were accurate and complete (referred to as completeness testing).\nSpecifically, we judgmentally selected an additional 74, 56, 52, and 62 laptops (for a\ntotal of 244) found at the SEC\xe2\x80\x99s headquarters, the ARO, the DRO, and the NYRO,\nrespectively.\n\nPrior Coverage. In March 2008, the Office of Inspector General issued the inspection\nreport Controls over Laptops, Report No. 441.33 The report contained three findings\nrelated to the SEC\xe2\x80\x99s policy, inventory, and accountability for laptops. Specifically, we\nfound that the SEC had not identified laptops as sensitive property and annual\ninventories of sensitive property were not performed. Also, we could not determine the\ntotal number of laptops within the SEC and determined that OIT\xe2\x80\x99s AMB did not have\nappropriate controls over laptops and was unable to trace ownership to specific SEC\nemployees. 
The OIG attributed this issue to the AMB\xe2\x80\x99s failure to consistently complete\nsupporting property transaction forms.\n\nWe made five recommendations for corrective action, which are summarized below:\n\n          A \xe2\x80\x93 Revise draft policy to identify sensitive property.\n\n          B \xe2\x80\x93 Develop a method of accountability for sensitive property that would\n              ensure an accurate accounting of laptops.\n\n          C \xe2\x80\x93 Complete a full inventory of laptops to establish a baseline.\n\n          D \xe2\x80\x93 Establish clear accountability for laptops including documenting the SEC\n              employees who are issued and who receive equipment.\n\n          E \xe2\x80\x93 Create a form to account for sensitive property.\n\nAlthough the OIG concurred with the actions taken to address the recommendations\nand closed the recommendations during fiscal year 2009, we determined that the SEC\xe2\x80\x99s\ninventory over laptops is still inaccurate, as stated in this report.\n\n\n\n\n33\n   U.S. Securities and Exchange Commission, Office of Inspector General, Inspection Report No. 441,\nControls Over Laptops, March 31, 2008. The report can be accessed at:\nhttp://www.sec.gov/oig/reportspubs/ir441.pdf.\n\n\n\n\nREPORT NO. 524                                    23                              SEPTEMBER 22, 2014\n\x0cU.S. SECURITIES AND EXCHANGE COMMISSION                       OFFICE OF INSPECTOR GENERAL\n\n\n\n       Appendix II. Federal Laws and Guidance and SEC\n          Administrative Regulations, Policies, and\n                         Procedures\n\nWe reviewed the following documents during the course of our fieldwork:\n\nFederal Laws and Guidance:\n\n   \xef\x82\xb7   Federal Manager\xe2\x80\x99s Financial Integrity Act of 1982, Pub. L. 
97-255.\n\n   \xef\x82\xb7   GAO, Using Statistical Sampling, GAO/PEMD-10.1.6, Revised May 1992.\n\n   \xef\x82\xb7   GAO, Assessing the Reliability of Computer-Processed Data, GAO-09-680G,\n       July 2009.\n\n   \xef\x82\xb7   OMB Circular A-123 Revised, Management\xe2\x80\x99s Responsibility for Internal Control,\n       December 21, 2004.\n\n   \xef\x82\xb7   OMB Circular A-130 Revised, Transmittal Memorandum #4, Management of\n       Federal Information Resources, November 28, 2000.\n\nSEC Administrative Regulations, Policies, and Procedures:\n\n   \xef\x82\xb7   SEC Administrative Regulation SECR 09-02, Rev. 1, Property Management\n       Program, September 11, 2012.\n\n   \xef\x82\xb7   SEC Administrative Regulation SECR 09-03, Report of Survey Program,\n       March 18, 1996.\n\n   \xef\x82\xb7   SEC Administrative Regulation SECR 23-2a, Safeguarding Nonpublic\n       Information, January 21, 2000.\n\n   \xef\x82\xb7   SEC SOP-206-1309, AMB Reconciliation of Delphi-RF Code and Delphi-ITSM\n       Standard Operating Procedure, June 12, 2013.\n\n   \xef\x82\xb7   SEC AMB, AMB Ship Hardware Procedure (Draft), July 31, 2013.\n\n   \xef\x82\xb7   SEC AMB WI, Auditing IMACs with CoR, November 8, 2013.\n\n   \xef\x82\xb7   SEC AMB WI, Conducting Spot Inventories, November 8, 2013.\n\n   \xef\x82\xb7   SEC ISS-AM-PD-0018, Release IT Hardware Asset Procedure, July 31, 2013.\n\n   \xef\x82\xb7   SEC ISS-AM-PD-0022, AMB Receiving Procedure (Draft), July 12, 2013.\n\n\n\n\nREPORT NO. 524                             24                          SEPTEMBER 22, 2014\n\x0cU.S. 
SECURITIES AND EXCHANGE COMMISSION                    OFFICE OF INSPECTOR GENERAL\n\n\n   \xef\x82\xb7   SEC ISS-AM-PD-0022, Maintenance, Repair, and Return Material Authorization\n       Procedure (Draft), July 29, 2013.\n\n   \xef\x82\xb7   SEC ISS-AM-PD-0025, Retire IT Hardware Asset Procedure, July 31, 2013.\n\n   \xef\x82\xb7   SEC ISS-AM-PD-0036, Perform Inventory Audit Procedure, February 5, 2010.\n\n   \xef\x82\xb7   SEC ISS-AM-PD-0038, Manage Stock Levels Procedure, March 23, 2010.\n\n   \xef\x82\xb7   SEC ISS-PM-WI-0002 v.0.2, Manage Asset Record, September 14, 2010.\n\n   \xef\x82\xb7   Securities and Exchange Commission, Office of Information Technology,\n       Security Operations, SEC Incident Response Capability Handbook, April 2014.\n\n\n\n\nREPORT NO. 524                            25                        SEPTEMBER 22, 2014\n\x0cU.S. SECURITIES AND EXCHANGE COMMISSION        OFFICE OF INSPECTOR GENERAL\n\n\n\n              Appendix III. Management Comments\n\n\n\n\nREPORT NO. 524                            26            SEPTEMBER 22, 2014\n\x0cU.S. SECURITIES AND EXCHANGE COMMISSION        OFFICE OF INSPECTOR GENERAL\n\n\n\n\nREPORT NO. 524                            27            SEPTEMBER 22, 2014\n\x0cU.S. SECURITIES AND EXCHANGE COMMISSION                    OFFICE OF INSPECTOR GENERAL\n\n\n\n        Appendix IV. OIG Response to Management\n                       Comments\n\nWe are pleased that the OIT concurred with all four recommendations for corrective\naction. Management\xe2\x80\x99s proposed actions are responsive to the recommendations;\ntherefore, the recommendations are resolved and will be closed upon completion and\nverification of appropriate corrective action. Full implementation of our\nrecommendations should strengthen the SEC\xe2\x80\x99s inventory controls over its laptop\ncomputers.\n\n\n\n\nREPORT NO. 524                            28                        SEPTEMBER 22, 2014\n\x0cU.S. 
SECURITIES AND EXCHANGE COMMISSION                        OFFICE OF INSPECTOR GENERAL\n\n\nTo Report Fraud, Waste, or Abuse, Please Contact:\n  Web:               www.reportlineweb.com/sec_oig\n\n  E-mail:            oig@sec.gov\n\n  Telephone:         (877) 442-0854\n\n  Fax:               (202) 772-9265\n\n  Address:           U.S. Securities and Exchange Commission\n                     Office of Inspector General\n                     100 F Street, N.E.\n                     Washington, DC 20549-2736\n\n\nComments and Suggestions\n  If you wish to comment on the quality or usefulness of this report or suggest ideas for\n  future audits, please contact Rebecca Sharek, Deputy Inspector General for Audits,\n  Evaluations, and Special Projects at sharekr@sec.gov or call (202) 551-6061.\n  Comments, suggestions, and requests can also be mailed to the attention of the\n  Deputy Inspector General for Audits, Evaluations, and Special Projects at the\n  address listed above.\n\n\n\n\nREPORT NO. 524                             29                           SEPTEMBER 22, 2014\n\x0c"